#*%! my CISO Says

Barry Caplin, Chief Information Security Official
Fairview Health Services

Argyle CISO Summit, Wed. Nov. 19, 2014
[email protected] [email protected] @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com


Security Isn’t Easy…

We didn’t get into it for the…

And how do we get their attention and support?

Nobody cares about Security…

The Challenge of Security Awareness

Why?

Stuff happens…

Issues

• Security viewed as a negative
• Avoidance v. “risk”
  – Delays
  – Cost
  – Extra work
  – “Gotchas”

It Can’t Be Just…

We need sensible controls…

… early in the process…

Good CISO/Bad CISO

Governance: Governance… We don’t need no stinkin’ governance!

Bad CISO

“Badges?...”

Governance: Develop a clear strategy using an industry standard framework.

Policy: All Security Policy is the same. I got mine from a book.

“Hello Mr. Anderson”

Bad CISO

Policy: Policies are based on solid principles, but adapted to fit the organization.

“Fate, it seems, is not without a sense of irony.”

Compliance: We write the policies. We make people sign an oath. Done.

“So there is a point you will not go beyond.”

Bad CISO

Compliance: We must make (understandable) policies. We must teach. We must assess, measure and report.

“It's like a finger pointing away to the moon...”

Awareness: Users will know what they have to do or be eliminated.

Bad CISO

“The successful criminal brain is always superior. It has to be.”

Awareness: Users can talk to Security. We teach. We answer questions.

“Shaken, not stirred”

Senior Management: I say what they want to hear. They’re not listening anyway.

Bad CISO

“Why make a trillion when we could make... billions?”

Senior Management: Give them the info they need and they will be an engaged partner.

“Smashing Baby!”

Bad CISO

“Your lack of faith is disturbing”

Business Needs: I buy the best known security products because they’ve got to be good.

“The Force is strong with this one.”

Business Needs: Working together we find control- and cost-effective security products that work and are usable.

Stuff I Say…

KISS

Stuff I Say…

No one has “read and understood”
• but definitely still responsible
• Simple, direct language in policy
• Compliance via education

Stuff I Say…

You pay by the word
• Keep policies short and sweet
• If not, you’ll pay on the compliance-effort side

Stuff I Say…

People want to do the right thing
• but what is the right thing?
• Understandable policy
• Simple rules

Stuff I Say…

Do What Makes Sense
• Risk Management approach
• Seek out and destroy meaningless policy/controls/practices

Stuff I Say…

Iterative Improvement
• Maturity model
• CObIT, SEI CMMI

Stuff I Say…

Automation!
• Metrics
• Tools
• Reporting

Stuff I Say…

What is the business need?
• Find out business need in plain business language

Stuff I Say…

Have Fun!

about.me/barrycaplin

securityandcoffee.blogspot.com

@bcaplin